
ZA and NAT32 < get a Router that has NAT built in

Does anybody have NAT32 successfully running on a computer protected by ZoneAlarm 10.0.246.000 (or any 10.0 version)? I'm having a terrible time getting the two to coexist!

My system: I have a second PC hung off my primary PC, connected by a CAT5e crossover cable (running from ethernet adapter to ethernet adapter). Internet access to the primary PC is provided via wireless. NAT32 is described as a "Windows Software Router." It runs on the primary PC and allows the second PC to access the Internet through the cable and the primary PC's Internet connection.

The technical specifics: On the primary PC, the ethernet adapter is assigned an IP address of 172.16.2.1. NAT32 takes that and creates a Private LAN with a gateway of 172.16.2.100. Clients then have to be assigned an IP address of 172.16.2.x (where x is a unique number other than 0, 1, 100 or 200). The ethernet adapter on my secondary PC is assigned 172.16.2.2, with the default gateway set to 172.16.2.100. The configuration is correct, because it works under certain circumstances (keep reading).

I have ZoneAlarm running on both machines, but the problem exists entirely with the installation on the primary PC. If I disable that installation of ZoneAlarm, NAT32 works without conflict and I can access the Internet from the second PC with no difficulty. However, if I turn on ZoneAlarm on the primary PC, the second PC cannot access the Internet; something about ZoneAlarm is blocking it. I've tried every configuration I can think of to allow access, but nothing's worked.

For example, I went into Application Control and customized the settings for NAT32 ("NAT32 Enhanced IP Router for Windows"). I checked both "This program may use other programs to access the Internet" and "Allow Program Interaction." I changed the Trust Level from "Ask" to "Trusted." That didn't fix the problem.

I went to Firewall Settings and created a new Trusted zone for the secondary PC (172.16.2.2). Again, no change. I deleted that and set up a Trusted zone for an IP range (172.16.2.1 to 172.16.2.100) that included everything controlled by NAT32. Once again, no change.

I even did all of the above at the same time. Still no change.

I'm just about at my wit's end. Any suggestions? I would have thought this would be a straightforward problem to resolve, but it's completely eluding me!

Re: ZA and NAT32

Is the "network" listed under the ZA zones set as TRUSTED?
Have you tried to reset the ZA settings and set the ZA program control to AUTO? Have you tried to fully remove ZA and re-install keeping all defaults?

Re: ZA and NAT32

Have you tried to reset the ZA settings and set the ZA program control to AUTO?

Yes. It made no difference.

Have you tried to fully remove ZA and re-install keeping all defaults?

Since your suggestion, yes. It also made no difference.

However, I've continued to explore different settings and I think I've gotten a lot closer to isolating the problem. I found that if I turn Application Control off (essentially giving all programs, including NAT32, free rein), it makes no difference. But if I turn off the Advanced Firewall, that makes all the difference! Then I can access the Internet from the secondary PC. That seems to indicate the problem is more traffic-related than program-related.

Furthermore, the security setting for the Trusted Zone has no effect on the problem, even when the NAT32 network is placed in the Trusted Zone. But the security setting for the Public Zone does change things. Dropping the Public Zone setting down to Medium allows Internet access for the secondary PC -- regardless of which zone the NAT32 network is in! So, more specifically, the problem seems to be traffic between the secondary PC and the Public Zone (i.e., the Internet).

Of course, I don't want to run my computer all the time with the Public Zone set to Medium security, as that will put me at a greater risk of infection. The obvious solution is to figure out the relevant difference between the Medium and High settings and fine-tune the High setting only as much as necessary to allow Internet access for the secondary PC.

That led me to the "Public Zone Security Settings" under "Advanced Settings" for the Advanced Firewall. There, you can control DNS, DHCP, ICMP, IGMP, UDP, TCP and NetBIOS connections for both the High and Medium security settings. To make a long story short, allowing connections for ICMP, IGMP, DNS and DHCP on the High setting made no difference; the Internet still couldn't be accessed from the secondary PC. On the other hand, if I had Public Zone security set to Medium (which allowed Internet access on the secondary PC), blocking NetBIOS, ICMP and IGMP connections didn't stop Internet access. My conclusion is that the problem, while traffic-related, isn't with any of DNS, DHCP, ICMP, IGMP or NetBIOS connections.

Which means it's almost got to be TCP-related, and there are ports that need to be allowed connections in order for the secondary PC to access the Internet. My dilemma is that, by default, the High security setting blocks TCP on all ports, while the Medium setting allows TCP on all ports. I can open up only specific ports under the High setting, but I have to know which ports -- and I don't. How do I determine precisely which ports are used when the secondary PC accesses the Internet through NAT32? Is there a third-party port use logger of some sort that I can install, which will show me that? Any suggestions would be most welcomed!
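One way to answer the port question above, as an added example that is not part of the original post: capture traffic on the crossover-cable adapter, save it in classic pcap format, and tally the destination ports of new flows leaving the 172.16.2.x LAN. The function names and the embedded sample capture are constructed for illustration; the parser assumes an Ethernet capture carrying unfragmented IPv4.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

def outbound_ports(pcap, lan="172.16.2.0/24"):
    """Count (proto, dst_port) for new flows going from the LAN to outside hosts."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("need a classic (non-pcapng) Ethernet capture")
    net, seen, off = ip_network(lan), Counter(), 24
    while off + 16 <= len(pcap):
        # Per-packet record header: ts_sec, ts_usec, incl_len, orig_len
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = ip_address(frame[26:30]), ip_address(frame[30:34])
        l4 = frame[14 + ihl:]
        if src not in net or dst in net or len(l4) < 4:
            continue  # keep only client -> outside traffic
        dport = struct.unpack("!H", l4[2:4])[0]
        if proto == 6 and len(l4) >= 14 and l4[13] & 0x12 == 0x02:
            seen["tcp", dport] += 1  # SYN without ACK: a new connection
        elif proto == 17:
            seen["udp", dport] += 1
    return seen

def _frame(src, dst, proto, dport, flags=0):
    """Build one constructed Ethernet/IPv4 frame (checksums left at zero)."""
    l4 = struct.pack("!HH", 50000, dport)
    l4 += struct.pack("!IIBBHHH", 0, 0, 0x50, flags, 8192, 0, 0) if proto == 6 else b"\x00\x08\x00\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def sample_pcap():
    """Constructed capture: secondary PC 172.16.2.2 talking to documentation-range hosts."""
    c, web, dns = "172.16.2.2", "192.0.2.10", "198.51.100.53"
    frames = [_frame(c, web, 6, 443, 0x02), _frame(c, web, 6, 443, 0x10),
              _frame(c, web, 6, 80, 0x02), _frame(c, dns, 17, 53),
              _frame(web, c, 6, 50000, 0x12), _frame(c, "172.16.2.100", 6, 8080, 0x02)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

On a real capture, pass the file's bytes to `outbound_ports`; the result lists UDP as well as TCP ports, so it shows whether the blocked traffic is limited to TCP.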

Re: ZA and NAT32

We suggest that, in this day and age, you get yourself a really inexpensive router that has NAT built in; that will resolve all these issues of a software NAT.

Unfortunately, because of the peculiarities of the network situation here, a router won't resolve things. A dedicated generic wireless access point might, but those typically cost more than I want to throw at the problem.

Still, I think I've figured out a hardware-based solution that's fairly cheap and doesn't involve extensive ZoneAlarm configuration, and I should be implementing it in a couple of days. Thanks for the input!